Google Project Zero Continues Its Microsoft Zero-Day Assault

Google's Project Zero security research team publicly discloses another pair of Microsoft zero-day flaws. But what are the actual risks?

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

zero-day attacks

Google's Project Zero security research team has once again put Microsoft users at risk by publicly disclosing a pair of new zero-day vulnerabilities on Jan. 15.

Google's Project Zero has a policy of automatically disclosing vulnerabilities 90 days after they have been reported to a vendor. Google reported the two new security issues to Microsoft on Oct. 17, 2014, putting the 90-day deadline date for disclosure at Jan. 15. The two new security vulnerabilities include Google Security Research issue #127, which is identified as a security bypass flaw in Windows 7.

"You can impersonate an administrator's token as a normal user (through linked token or kidnapping a system token) and call the protected functions," Google's advisory states. "On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it's not vulnerable."

Google's advisory on issue #127 also notes that "it isn't clear if this has a serious security impact or not."

In a Microsoft statement emailed to eWEEK, a Microsoft spokesperson commented that Microsoft is not planning on addressing Google Security Research issue #127, which may allow access to information about power settings, with a security bulletin.

The second zero-day is Google Security Research issue #128, identified as a security bypass, information disclosure flaw.

"The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios, process, logon session and computer," Google warns in its advisory. "The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session."

For its part, Microsoft isn't too worried about either flaw, though a fix is in the works for issue #128. "We are not aware of any cyberattacks using the two cases publicly disclosed," the Microsoft spokesperson stated.

Microsoft noted that, while it is working to address the CryptProtectMemory bypass issue (Google Security Research issue #128), it is not a flaw that is easily exploitable.

"Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first," Microsoft's spokesperson stated.

The two new zero-day flaws disclosed by Google Project Zero bring the total tally of zero-day Microsoft flaws that the Google group has publicly revealed to four. On Dec. 30, Google chastise Google over its disclosure policy.

As it turns out, both the Dec. 30 and the Jan. 11 flaws were fixed by Microsoft in the first Patch Tuesday of 2015, which came out on Jan. 13.

"I think there must have been a problem in the communication between Microsoft and Google because it seems that the patch was available within a quite short timeframe of the 90-day limit date," Wolfgang Kandek, CTO of Qualys, told eWEEK on Jan. 13.

Given the two new issues disclosed on Jan. 15, it would appear that the communication between Microsoft and Google on coordinated disclosure has yet to improve.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.